>If my experience with folding CrackLib-2.5 into the CSO Nameserver package
>is any guide, adding the Crack rules makes a password checker too strict with
>insufficient feedback to the user.
>
>For me npasswd is part of an in-depth defense. First someone has to get
>a copy of my shadow password files before they can run crack. Ideally
>what npasswd does for me is eliminate easily guessed passwords. For that
>the 90% level is fine and eliminates most user resistance.

I've had rather high success rates with the "genp" program, which I
picked up on the net some years ago. It builds rather nonsensical,
but pronounceable/memorizable passwords. As a test, I generated 5000
passwords with genp and ran them through Crack 4.1; with the standard
dictionary, it was only able to break 2 passwords.

Here is a quick sample of genp's output:

    nimixflor kowfleze tovuja nisnarsnow nixpaygi fortusmoy
    knorfloupou shalsterknax coychouflou daitabax

Interested parties may contact me via email for the source code;
it's 112 lines of C code.

--Wes
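
An added example, not genp's source (which does not appear in this thread) and not code from either poster: a syllable-based generator of pronounceable passwords in C. The syllable tables and the names `gen_password` and `keyspace` are assumptions of this example; `keyspace` counts the candidates an attacker would have to try if the generator and its tables were known, a figure a dictionary run does not measure.

```c
#include <stdio.h>
#include <string.h>
/* Syllable tables are assumptions of this example, not genp's own. */
static const char *ONSET[] = {"b","d","f","g","k","l","m","n","p","r","s","t",
                              "v","z","fl","sn","kn","sh","ch","st"};
static const char *VOWEL[] = {"a","e","i","o","u","ou","ay","oy","ow","ai"};
static const char *CODA[]  = {"","x","r","n"};
#define COUNT(a) ((unsigned)(sizeof(a) / sizeof((a)[0])))

/* Uniform index in [0, n) from /dev/urandom; rejection sampling avoids modulo bias. */
static int pick(FILE *rng, unsigned n) {
    unsigned limit = 256u - (256u % n);
    int b;
    do {
        if ((b = fgetc(rng)) == EOF) return -1;   /* random source failed */
    } while ((unsigned)b >= limit);
    return (int)((unsigned)b % n);
}

/* Builds `syllables` onset+vowel+coda units in out. Returns length, or -1 on error. */
int gen_password(char *out, size_t cap, int syllables) {
    FILE *rng = fopen("/dev/urandom", "rb");
    size_t len = 0;
    int ok = (rng != NULL && cap > 0);
    for (int i = 0; ok && i < syllables; i++) {
        int o = pick(rng, COUNT(ONSET)), v = pick(rng, COUNT(VOWEL)), c = pick(rng, COUNT(CODA));
        if (!(ok = (o >= 0 && v >= 0 && c >= 0))) break;
        size_t need = strlen(ONSET[o]) + strlen(VOWEL[v]) + strlen(CODA[c]);
        ok = (len + need + 1 <= cap);             /* refuse to truncate a password */
        if (ok) len += (size_t)snprintf(out + len, cap - len, "%s%s%s", ONSET[o], VOWEL[v], CODA[c]);
    }
    if (rng) fclose(rng);
    if (!ok) return -1;
    out[len] = '\0';
    return (int)len;
}

/* Candidates an attacker must try if the generator and tables are known. */
unsigned long long keyspace(int syllables) {
    unsigned long long per = (unsigned long long)COUNT(ONSET) * COUNT(VOWEL) * COUNT(CODA), total = 1;
    for (int i = 0; i < syllables; i++) total *= per;
    return total;
}
int main(void) {
    char pw[32];
    for (int i = 0; i < 5 && gen_password(pw, sizeof pw, 3) > 0; i++) puts(pw);
    printf("3-syllable keyspace: %llu\n", keyspace(3));
    return 0;
}
```

With these tables each syllable contributes 800 combinations, so the syllable count, not the apparent randomness of the letters, sets the resistance to an attacker who enumerates the generator.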